Posted
by
Soulskill
on Wednesday July 25, 2012 @01:34PM
from the now-you-eyes-are-slightly-safer dept.

Maximum Prophet writes "If you've ever had your eyes scanned, be sure to install new ones every 90 days. Wired reports on research being released at Black Hat: 'The replica images, they say, can trick commercial iris-recognition systems into believing they’re real images and could help someone thwart identification at border crossings or gain entry to secure facilities protected by biometric systems. The work goes a step beyond previous work on iris-recognition systems. Previously, researchers have been able to create wholly synthetic iris images that had all of the characteristics of real iris images — but weren’t connected to real people. The images were able to trick iris-recognition systems into thinking they were real irises, though they couldn’t be used to impersonate a real person. But this is the first time anyone has essentially reverse-engineered iris codes to create iris images that closely match the eye images of real subjects, creating the possibility of stealing someone’s identity through their iris.'"

If these types of scanners ever become common, all you would need is one untrustworthy scanning station to steal your identity (and then impersonate you at all other stations). And the problem with biometrics, of course, is that they can't be changed. Biometrics were never a good idea.

They do not uniquely identify an individual anymore than having my drivers license makes you me. They like all other forms of identification are copyable.

The problem is not the copying, it is the verification that is the problem. At this time the verification process can be spoofed, that most probably will not always be the case.

Much like if I went and made a photocopy of your drivers license. The copy may fool other devices that read a license in the same way that the copy was made, but it won't fool more advanced devices. And that photocopy definitely will not fool a police officer.

Your driver's licence uniquely identifies you whether I have it or you have it. Copying your driver's licence doesn't reduce its ability to identify you. However, merely possessing your driver's licence should not be sufficient for me to authenticate your identity. Only you should be able to do that. So biometrics are useful for identification but not authentication.

No they don't. They uniquely identify part of an individual. All I need to do to impersonate you is to remove your eye, finger or any other part of you that gets scanned.
You can torture out someones password, but the easiest way to fool an iris scanner is to pluck out some poor bastards eye. Finger print scanner? Chop off their finger.

If these types of scanners ever become common, all you would need is one untrustworthy scanning station to steal your identity (and then impersonate you at all other stations).

So, um, where would one of these untrustworthy scanning stations be set up?

And the problem with biometrics, of course, is that they can't be changed. Biometrics were never a good idea.

Biometrics is a very good idea, it just needs to be implemented in a way that doesn't allow one to cheat. Such as when you get your fingerprint scanned the scanner should also do a check to make sure it is actual skin instead of a silicone copy.

To securely do an iris scan though, that would not only be tough to design, it would also mean that people who wear contacts would not be able to use an iris scanner.

Like airports and border crossings? Yes, I guess if it is state sponsored they could put an untrustworthy station in place there, it is just unlikely to ever happen, at that level they probably already have the information. More likely I guess is private organizations that use iris scanners, it would still need to be an inside job though.

The fingerprint scanner will then have to deal with better and better synthetics.

And so will those looking to get past the scanner. I would imagine that at some point with fingerprint scanners that they will be looking beyond the fingerprint and also

Doesn't really invalidate the point—I mean, what it amounts to is that iris scanners, traditionally thought of as extremely high-security items, are only really practical for low-security stuff where it wouldn't be worth the cost/risk/bloodshed/etc. to (a) kidnap someone to prototype from their eyes or (b) take what you need a la carte. You still wouldn't want to use it for a military installation.

It seems to me that it would be easy to prevent that particular attack just by checking pupil reaction. If it doesn't react, the eye isn't attached to a living organism and shouldn't be allowed. Additionally, nothing high security should ever be single factor authentication anyway.Biometrics done right are really good, biometrics done wrong are our worst nightmare.

Well, even if you were willing to alter your DNA in an effort to make biometric ID systems viable (and you would be insane), and even if you engineer a retrovirus that can reliably alter a given sequence in your DNA (they tend to insert their small payload at random locations in each cell) there's still the issue of your irises and fingerprints aren't based on DNA and certainly aren't maintained by continued DNA expression.

Transgenic mice are generally made by homologous recombination in single embryonic

No, viral insertion works by literal infection of cells. You're confusing germ distribution, where you alter the DNA once, with viral DNA insertion at a spot, which infects a literal cell and uses the cell mechanism via a docking ligand to deliver a target viral payload which inserts itself into the cells DNA.

We make cancer cells glow so that we can perform surgery on them. It's not the cancer cells we target per se, but all cells. The cancerous cells have certain biochemical characteristics which are used

Nevertheless, changing your DNA will not change your iris, or the gross physical structure of any organ; not until the cells within the organ are replicated according to the new DNA. For example, if I replace the blue iris DNA with brown iris DNA, I will not suddenly have brown eyes. It will take months, or possibly even years for that kind of change to take place, depending on the rate at which iris cells replicate.

The clandestine services will simple send their people through with fake iris contact lenses the first time, and once for every identity needed. Then when they need to be "Joe Shablocknic" today, they just select the "Joe Shablocknic" eyes from the kit, and viola, new identity. They'll make the the spy's real eyes are never scanned by a 3rd party.

What this research shows is that they could send an iris printer with the spy. Then send him the codes for new eyes.

Seriously, you would test the system, first by observing how the guards work, then by sending people through who are expendable, or diplomats with get-out-of-jail black passports. If all that fails, and you get pulled aside for a random search, have a co-worker create a diversion and slip away.

The security comes from the verification process. If you're pulled over while carrying someone else's driver's license, then holding up a picture of that person to the police officer is not going to let you impersonate that person.

The reason we're used to thinking in terms of secrecy is that it's the only way to make passwords exclusive to particular users.

The major problem with *magic* solutions, is that leader types look at them and say "Wow, Iris Scanners, I could never fool one of those, so nobody could fool one." People have the same reaction to physical locks.
This leads to security theater. Yes, it stops stupid criminals, and yes it can be a good thing when you stop stupid criminals, but when you want to stop people flying airplanes into buildings, or stock traders from racking up $2 billion in fraudulent losses, magic dohickys aren't the solution.

Good observation. Some forms of crime are more acceptable than others.

I'm not sure I'm not on board with that. Imagine a world where there was no violent crime or real property theft. If your bank account was stolen, you get it back in 90 days.
In such a world, keep several bank accounts and several credit cards, and regular normal people are safe.

If you could live in a world where all crime was crime against large corporations, and all war was cyberware, would you? What would you give up to live

Point is, with advancement of remote scanning techniques your iris could be just as easily picked from distance as any RFID - no need for physical contact as with the physical key, for example. So, unless you are planning on wearing some advanced sunglasses all the time, your iris essentially becomes "something you have", nothing more.

I believe that there's a 4th kind of factor: something you can do. For example, you might be able to pick out some of your favorite items, even though you don't remember which favorite items you registered. Or you might be able to type your password in a different rhythm than anyone else can (without a lot of practice); again, it's not something that you can memorize/remember/know, and it's not really something that you are or have.
Bruce Schneier has an article on one of these kinds of authentication fact [schneier.com]

New technology is nice and all, but for every lock ever created there will be a lock pick for it.

The only thing is, the more expensive the lock, the more expensive the lock pick is supposed to be. That's the real measure of the effectiveness of a lock. I.e., an expensive lock that can be picked in an inexpensive manner is an ineffective lock.

People had to know this was coming, it's painfully obvious and is obvious with all such technology. Algorithms are used to validate, and one only needs to do reverse engineering of 2 aspects. 1) Math function to match data. 2) input mechanism used to get test data.

The same thing was done with fingerprint scanners, and why we did not have a mass adoption. Jello was found to be the easiest way to lift and place fingerprints (This trick was used at a DOD site during our pilots.)

And this is exactly why duresse codes exist. if you can give them a "something you know" that gets help dispatched quickly, without tipping off the bad guys, you're in a lot better position. (and they don't dare kill you until they've verified that the information they extracted from you is accurate)Also improvements to the technology authenticating the "something you are" to make copying impossible is a good thing because it forces them to take you to the authentication device, giving you some measure of t

The point isn't to stop them before detaching your eyeball, it's to make it pointless for them to bother. If they know that a detached eyeball won't work, why would they detach it? someone could come cut my eyeball out right now, but the lack of any authentication system making use of it means there is no reason to do so. similarly if all authentication devices require a LIVE eyeball, criminals will have no use for a detached one.There is no police force, alarm system, or other security force in existence t

Unfortunately, all three of those are really just "something you know."

If I have a 5-pin tumbler key and each pin has a depth setting of 0-5 then I really just need to know a 5-digit, hex (not hexadecimal) number and I can recreate the key. If I have a reading of a fingerprint all I need to do is experiment with fingerprint printing or fingerprint re-forming technology until I get a copy that can pass for the original.

Even an RSA keyfob, technically, can be copied if I can rip it apart in a manner that let

Two of those three factors - the "something you have" and the "something you know" can be changed. You can be issued a new security card, and you can change your password. The third factor - "something you are" can not be changed. This makes it a lot weaker than the other two factors because if at any time in your history it has been stolen, then it is no longer secure and useful - ever again.

What do you do when your security system requires all three factors, but you already know the "something you are

The perfect identification system - is there none? Can everything be faked and replicated? In the end what is the most defining characteristics of a person's identity? One can for example create a complete fake identity and mimic a body with the help of non intrusive / intrusive technology. Perhaps the uniqueness comes from the constant flux - the actual logic or pattern of the changes in the person's life and body. Proving an identity completely means that the technology would follow the person anywhere and monitor the changes. How far is it necessary to actually go? The kind of systems can be abandoned once there's enough trust to not need them at all and/or there's nothing to guard.

Ok, so current systems can be tricked with photographs, and that seem pretty silly. But future versions could record stereo images while altering the illumination of the subject's eye. Properly functioning (attached) human eyes should have irises that dilate with extreme changes to illumination. By masking the subjects eye or eyes from the surrounding environment and changing the illumination levels over time, a complex system could measure pupil dilation characteristics to evaluate if the eye before it is

Yes, these can be improved, but they are trying to be simple, fast, and cheap. When you have 200 people standing in line waiting to get on an airplane, Voight-Kampf'ing everyone is a non-starter.
Simply going to retinal scans makes fooling the system much harder, but retinal scanning is slower than iris scanning.

That neeeeeever happens in today's world of OS security, now does it? And what happens when researchers find a vulnerability in a computer system? It usually gets patched pretty quickly.

This one will not take long to patch. In the "can you tell which is which?" pictures, I picked the synthetic iris with 100% accuracy, in less than 3 seconds of inspection. Yes, I work actively in the biometrics field...but guess what? So do the folks who build these systems. I will hazard a guess that Neurotech (and L-1,

Well the problem happens when the researchers that find the vulnerability are working for people who would rather exploit a vulnerability then patch it. Of course you're right in saying that no system is without it's flaws (at least I think that's what you're saying).

I worked on early iris recognition software and we had already worked through this scenario way back then. If the scanner was worth it's salt, it would be doing what we did years ago...

1) Verify that the eye reacts to changing light conditions... Pupils should contract or dilate when required.2) Verify that the eye isn't flat (i.e. a picture). Proper specularity orientation from changing light sources (we used infrared) to identify the curvature.3) Glowing pupil under infrared, dark with different lighting.

All biometrics can be fooled if the biometric sensor system alone is all you are using for the security.

Biometrics only uniquely identifies a person. You still need another person (security guard, for example) or technology (detect a live human being and/or a real eye) to verify it is a person that provides the biometric input. This is to prove an actual person is there.

Until someone switches eyes out (improbable) or finds a way to implant the iris image of another individuals eye within their own eye (impr

the eye scanners they had there measured iris geometry and pupil size and response. They were easily spoofed with psychoactive substances, because calibrated from a baseline measurements. If you could make the the baseline wasn't really baseline, subsequent tests would look a-ok